Working with Correlation Rules

If a Correlation RuleConstructed with a flowchart consisting of an Input, DecisionA component of a Correlation Rule, a Decision defines a condition that determines if the rule continues correlating a log message.(s), and Output(s), a CorrelationThe examination of Normalized Messages for events of interest, along with the ability to initiate appropriate responses; for example, sending an email notification to specified recipients. Rule correlates log messages to identify events of interest. is enabled and assigned to a Manager's Correlation EngineThe component of your Primary ManagerEach TLC environmentConsists of all TLC software, Managers, Log Sources, Monitored Assets, Collectors, and data in your TLC installation. has a single Primary Manager that controls: 1. The storing of log messages in the Audit LoggerThe TLC Console1. Tripwire LogCenter Console is the software for the TLC graphic user interface (GUI), or 2. The Tripwire LogCenter GUI. Through the TLC Console, you can configure TLC, oversee your TLC environment, and manage log and event data. component in which you can work with the log messages collected by TLC. File Store and Events in Event1. Either a log message that a Manager has standardized (i.e. normalized) for use by TLC (a.k.a. Normalized Messages), or an event or vulnerability imported from a scanner. 2. An 'event message' collected from a Log Source.-Management Databases, 2. The configuration settings for your TLC environment, and 3. User access and license management for TLC. responsible for identifying events of interest. To correlate events, the Correlation Engine applies Correlation Rules to the Normalized Messages received from the NormalizationThe process of standardizing log messages for use by TLC. Standardized messages are known as Normalized Messages. Engine., TLC uses the rule to correlate Normalized Messages from the "Inputs" specified by the rule. The Input for a rule can either be a CollectorA TLC module that gathers or receives log messages from Log Sources. or a Correlation Engine. For more information about correlation, see How does Event Correlation work?.

Tip	Tripwire recommends that you regularly download the latest Tripwire-defined TLC content from the Tripwire Web site. Tripwire-defined content includes Normalization Rules, Normalization Aliases, Correlation Rules, Correlation Lists, and some Tasks. For instructions, see Updating TLC with the Latest Tripwire Content.

	VIDEO:  Creating a Correlation Rule

To create, enable, change, or delete a Correlation Rule:

1.

In the side bar, select Resources >Configuration ManagerIn the Configuration Manager, you can create and configure TLC Resources (Monitored Assets, AssetA Log Source in your TLC environment. See Monitored Assets and Discovered Assets. Groups, Managers, Locations, Event-Management Databases), normalization objects (Normalization Rules, Aliases, and Normalized-Message Filters), and correlation objects (Correlation Engines, Rules, Lists, and Actions)..

2.

In the side bar of the Configuration Manager, select Correlation >Rules.

3.

In the workspace table, TLC presents a list of all Correlation Rules in your TLC environment. Under the Correlation Rules option in the side bar of the Configuration Manager, TLC lists the Tripwire-defined Correlation-Rule Groups created by default for your TLC environment. To view the rules in a Correlation-Rule Group, select the group.

Tip	You can sort, group, and filter the contents of tables. For more information, see Working with Tables).

To create a new Correlation Rule:

a.

ClickAdd.

b.

Complete the Correlation Rule tab and click Save and Exit. For further details, see Defining a Correlation Rule.

To create a copy of an existing rule:

a.

In the workspace, right-click the rule and selectCopy selected rule.

b.

Complete the Correlation Rule tab and clickSave and Exit.

To modify an existing rule:

a.

In the workspace, double-click the rule.

b.

As needed, edit the Correlation Rule tab and clickSave and Exit.

Caution	Tripwire recommends that you do not make any changes to the Tripwire-defined Correlation Rules created by the TLC ManagerTripwire LogCenter Manager is the core software in your TLC environment. TLC Manager collects and processes log messages from a wide variety of systems and devices. installer.

To enable a disabled rule, select the rule in the workspace and clickEnable.

To disable a rule, select the rule and clickDisable.

To delete a rule:

a.

Select the rule and clickDelete.

b.

In the confirmation dialog, click Yes.

To assign a Correlation Engine to a rule: 

a.

Select the rule and clickAssign to Correlation Engine(s).

b.

In the Assign to Correlation Engine(s) dialog, select the Correlation Engine and click OK.

To remove all Correlation Engines currently assigned to a rule: 

a.

Select the rule and clickRemove assigned Correlation Engine(s).

b.

In the confirmation dialog, click OK.

To export rules to an XML file, select the rules and clickExport.

If the Save Table Layout1. A customizable configuration of panels containing fields, tables, and/or graphs. 2. The configuration and formatting of a table or Event-Relationship Diagram. feature is enabled (see Saving Table Layouts in the Configuration Manager), you can modify the table in the workspace and click Save Table Layout to save the updated layout for future use.

Tip	Your changes will not take effect until you push updates to your Managers (see Pushing Updates to your Managers).